Security Advisory 8

Date: 2016-05-23

A potentially significant security issue has been reported on all versions of Alfresco. Alfresco has developed a fix for Enterprise Edition and released it via the Service Pack process. Alfresco strongly recommends all administrators immediately apply the provided fixes. All users of Alfresco Community Edition should upgrade to 201605 GA. Details of this issue are available under the heading “ImageMagick Vulnerability”.

A significant security issue with upgrades has also been found. When upgrading from a previous version of Alfresco to Alfresco 5.1 containing bcrypt password hashing, the administrator password can be reset to the default value. Be sure to set your password to something secure after upgrading to Alfresco Community Edition releases 201512 EA or newer. Details of this issue are available under the heading 'Admin Password is Reset after Upgrade to 5.1.x'.

A series of medium-impact security issues have also been raised, potentially exposing Alfresco users to attacks through HTML injection. The details for this class of issues and their fixes are available under the heading 'HTML Injection Issues'.

All of these vulnerabilities are fixed in the latest releases of Alfresco.

ImageMagick Vulnerability

Severity: High

Impact: Remote code execution.

Exploitable: Remotely by users with upload privileges.

Related Issues: ACE-5358

Affects: All currently active versions of Alfresco prior to the fix versions listed below are impacted by this issue.

Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One versions 5.1.0.3, 5.0.3.5, 4.2.6.1, 4.1.10.11, 3.4.14.23. Alfresco Community Edition 201605 GA which includes Alfresco Platform 5.1.g.

Description

A serious security issue in ImageMagick has been found and widely publicized—nicknamed 'ImageTragick' (see https://imagetragick.com for more details).

Alfresco uses Imagemagick in all versions, and this vulnerability can allow an attacker to perform remote code execution (RCE). Out of the vulnerabilities listed on imagetragick.com, we have found that Alfresco could be vulnerable to CVE-2016-3714 and we have taken actions to prevent that vulnerability from being exploited.

Mitigation Strategies: The recommended mitigation for this vulnerability is to modify the policy.xml file located in the ImageMagick folder to include the following section, and then restart Alfresco. This is the same fix we applied in the Alfresco Platform 5.1.g. No changes were required in Share.

 <policymap>
   <policy domain='coder' rights='none' pattern='EPHEMERAL' />
   <policy domain='coder' rights='none' pattern='URL' />
   <policy domain='coder' rights='none' pattern='HTTPS' />
   <policy domain='coder' rights='none' pattern='MVG' />
   <policy domain='coder' rights='none' pattern='MSL' />
   <policy domain='coder' rights='none' pattern='TEXT' />
   <policy domain='coder' rights='none' pattern='SHOW' />
   <policy domain='coder' rights='none' pattern='WIN' />
   <policy domain='coder' rights='none' pattern='PLT' />
 </policymap>

If the <policymap> block already exists in the file, just add to it the above 'policy domain='coder' lines.

Other mitigation approaches are listed in ACE-5358.

Admin Password is Reset after Upgrade to 5.1.x

Severity: High

Impact: Access to the administrator account of Alfresco.

Exploitable: Remotely by unauthenticated users.

Related Issues: MNT-16259

Affects: Installations upgraded from any previous version of Alfresco to a release containing Alfresco Platform 5.1 may be affected. This includes installations upgraded to Alfresco One 5.1.0 and Alfresco Community Edition 201512 EA (containing Alfresco Platform 5.1.d), Alfresco Community Edition 201602 GA (containing Alfresco Platform 5.1.e), Alfresco Community Edition 201604 (containing Alfresco Platform 5.1.f), and Alfresco Community Edition 201605 (containing Alfresco Platform 5.1.g). Alfresco One 5.1.1 and future versions of Community Edition will not be affected.

Fixed in: Alfresco One 5.1.1 and versions of Community Edition after 201605.

Description

Administrators who have upgraded from any version of Alfresco to a version containing bcrypt password hashing (introduced in Alfresco Platform 5.1.d) will have the admin user password reset to the default value during upgrade if:

• They originally installed Alfresco using the installer and set the admin password during the install,
  
• Or are multi-tenant users who set the admin password when creating the tenant domain.
  

Installations where the 'admin' user password has been manually changed since installing Alfresco will not be affected.

If the passwords are managed externally, there should be no problem. So installations without AlfrescoNTLM in the auth-chain should not be affected.

Mitigation Strategies: It is recommended that administrators manually change the admin user password after upgrading.

Multi-tenancy is also affected. Any 'admin@<tenant domain>' password should also be changed.

Vulnerability Details

The bug itself is actually with the installers (pre-5.1.0). Prior to the introduction of bcrypt password hashing in the Alfresco Platform 5.1.d, there were two passwords in Alfresco for every user: MD4 and SHA256. When you place a non default password in the installer, it updates only the MD4 record as a property in alfresco-global.properties and when Alfresco is first bootstrapped, it reads the hash from the property and creates 'admin'. However when the password was created for admin in the installer, only MD4 was updated (via the property). SHA256 was not updated and still points to the default 'admin' password. Generally that's fine, as MD4 is used by default in the system and you won't notice it. But when you are upgrading (by any means), the new 5.1.0 system with bcrypt is looking at the SHA256 hashes and in these cases it is still 'admin'.

HTML Injection Issues

Severity: Medium

Impact: HTML injection.

Exploitable: Remotely by authenticated users.

Related Issues: No public issues.

Affects: All currently active versions of Alfresco prior to the fix versions listed below are impacted by this issue.

Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One versions 5.1.0.1, 5.0.3.2, 4.2.6, 4.1.10.10, 3.4.14.20. Alfresco Community Edition 201504 GA which includes Alfresco Platform 5.1.f and Alfresco Share 5.1.f.

Description

Recently several HTML injection vulnerabilities were discovered during routine penetration tests. Though most of the issues were addressed in the April release of Alfresco Community Edition, we decided not to release details until we had completed our audit for similar problems because these issues were identified internally and were not disclosed outside of Alfresco. The security issues themselves are rated as 'Medium', and per our security policy do not require a public Security Advisory, but we include them in SA-8 to encourage people to upgrade to the latest releases of Alfresco. The fixes were included Community Edition 201604 as part of our regular release of bug fixes. We did not identify additional fixes of this type for Alfresco Community Edition 201605.

Because so many issues were identified, we feel that the clearest way to disclose these vulnerabilities is by summarizing them in this Security Advisory. More details about a specific issue are available through Alfresco Support.

Mitigation Strategies: The most reliable way to mitigate these vulnerabilities is to regularly upgrade Alfresco to receive the latest fixes.  These vulnerabilities require a knowledgeable attacker who has access to upload to the system and a victim whose browser security settings allow the execution of malicious HTML code, so mitigation strategies include limiting access to the system to trusted individuals and deploying client-side browser defenses. Many of this issues were not reproducible with the Chrome browser.

Vulnerability Details

HTML injection into invite and other emails: It's possible to inject HTML into emails where they are sent out from a site. This includes but is not limited to site invites and task creation. This can lead directly to CSRF and privacy tracking issues. It might be possible to also leverage this to create an XSS opportunity.

HTML injection in Leave Site: If the site name contains XSS injection code then it's possible to inject HTML, XSS when leaving a site.

HTML injection in Search page: If a user's first name or last name contains XSS injection code then it's possible to inject HTML, XSS when a user searches for documents with faceted search enabled.

HTML injection in Search field from Add / Invite users to site: If a user's first name or last name contains XSS injection code then it's possible to inject HTML, XSS when that user is added to a site

HTML injection in Dashlets: When having a site name consisting of XSS injection code, several dashlets can be affected.

• HTML injection in Image Preview Dashlet
  
• HTML injection in Wiki Dashlet
  
• HTML injection in Saved Search Dashlet
  
• HTML injection in My Discussion dashlet
  

HTML injection in WCMQS site - Blog section: Uploading a file to a WCMQS site's blog, the XSS cen be injected when the 'Preview Web Asset' option is selected on that file.

Manage Aspects page is unusable after creating a custom model with an aspect having an HTML/XSS injection in Display Label: In the Model Manager (new in 5.1.0), creating an aspect with XSS injection code as the display label causing the Manage Aspects aspects to be empty and unusable.

HTML injection in Document Library when a document is locked for Edit Offline by a specific user: If a user's first name or last name contains XSS injection code, if that user Edits Offline a document then this code can be injected in the subsequent message 'This document is locked by' when the document library is browsed to.

HTML injection in WCMQS site - Blog - Leave a comment: Opening a blog from the Latest Blog Articles list and adding a comment that contains XSS injection code can lead to that XSS being injected.

HTML injection in Saved Search / Site Search dashlets (query): It's possible to inject HTML or XSS when adding a search 'img' to Saved Search or Site Search Dashlet when a Site Links dashlet with a link containing XSS injection code

HTML injection in WCMQS site - Author field from edit Blog: Previewing a HTML file ('Preview Web Asset' option) added to a WCMQS blog who's author field contains XSS injection code can lead to the XSS being injected

HTML injection in WCMQS site - Blog - Quick Edit menu: Using quick edit on a WCMQS blog who's title the title contains XSS injection code can cause XSS to be injected.

Custom Type - Property is injected when using an HTML/XSS injection in Description: When XSS injection code is set as a descrption for a property as part of a custom Type within the Model Manager, when that model is activated and that type is applied to content, editing the properties of that content can cause the XSS injection code to be injected.

Security Advisories